Track public SSH key in rootfs overlay

Hello,

I am trying to set up a device (imx8m-plus) running Torizon OS (6.8.0) so that I can SSH into it without password. But, I want to then make that part of the rootfs overlay of the image.

Thus, I modified /etc/ssh/sshd_config on the target with this line:

AuthorizedKeysFile /etc/ssh/.auth/%u/authorized_keys	.ssh/authorized_keys

On my host, I create SSH credentials:

dev@dev-VirtualBox:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/dev/.ssh/id_rsa): /home/dev/custom/.ssh/torizon_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/dev/custom/.ssh/torizon_rsa
Your public key has been saved in /home/dev/custom/.ssh/torizon_rsa.pub
The key fingerprint is:
SHA256:sw/uzZp7axG9N4pBGs/lp90gzIjqZtrN78y/qnGA4tc dev@dev-VirtualBox
The key's randomart image is:

Then I install the public key in /etc/ssh/.auth/torizon/authorized_keys:

$ scp /home/dev/custom/.ssh/torizon_rsa.pub torizon@192.168.1.114:/home/torizon
torizon@192.168.1.114's password:
torizon_rsa.pub                                                                            100%  396     0.4KB/s   00:00
$ ssh torizon@192.168.1.114
torizon@192.168.1.114's password:
Last login: Thu May  2 16:09:13 2019 from 192.168.1.3
# sudo -i
# cat torizon_rsa.pub >> /etc/ssh/.auth/torizon/authorized_keys
# rm torizon_rsa.pub
# exit
logout
Connection to 192.168.1.114 closed.

However, if I try to connect from my host, the password is still required:

dev@dev-VirtualBox:~$ ssh torizon@192.168.1.114 -i /home/dev/custom/.ssh/torizon_rsa 
torizon@192.168.1.114's password: 

I don’t understand what I am missing. Is there a guide somewhere?

Best regards,

Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!

Did you like my answer?

:+1: :-1:


:handshake:

To set up passwordless SSH access and make it part of the root filesystem overlay in Torizon, you need to ensure a few things:

  1. Correct Configuration of sshd_config:
    Ensure that the AuthorizedKeysFile directive in /etc/ssh/sshd_config is correctly set. It seems you have already done this:

    AuthorizedKeysFile /etc/ssh/.auth/%u/authorized_keys .ssh/authorized_keys
    
  2. Correct Placement of the Public Key:
    The public key should be placed in the directory specified by the AuthorizedKeysFile directive. In your case, it should be /etc/ssh/.auth/torizon/authorized_keys.

  3. Permissions:
    Ensure that the permissions of the .ssh directory and the authorized_keys file are correct. SSH is very particular about file permissions. The .ssh directory should have 700 permissions, and the authorized_keys file should have 600 permissions.

  4. Rootfs Overlay:
    To make this part of the root filesystem overlay, you need to create an overlay directory structure on your host and then use TorizonCore Builder to apply it.

Here are the steps to achieve this:

Step-by-Step Guide

  1. Create the Overlay Directory Structure:
    On your host machine, create the necessary directory structure for the overlay:

    mkdir -p overlay/etc/ssh/.auth/torizon
    
  2. Copy the Public Key:
    Copy your public key to the overlay directory:

    cp /home/dev/custom/.ssh/torizon_rsa.pub overlay/etc/ssh/.auth/torizon/authorized_keys
    
  3. Set Correct Permissions:
    Set the correct permissions for the .auth directory and authorized_keys file:

    chmod 700 overlay/etc/ssh/.auth
    chmod 700 overlay/etc/ssh/.auth/torizon
    chmod 600 overlay/etc/ssh/.auth/torizon/authorized_keys
    
  4. Create the Overlay with TorizonCore Builder:
    Use TorizonCore Builder to apply the overlay to your Torizon image:

    torizoncore-builder bundle --overlay-dir overlay
    
  5. Deploy the Updated Image:
    Flash the updated Torizon image with the overlay to your device.

Validate the Setup

Greetings @mnano,

I just tried the exact same steps on my setup and it seems to work okay for ssh without a password. Did you reboot the device after you changed /etc/ssh/sshd_config so that the new configuration changes would take effect?

Best Regards,
Jeremias

Hello,

Yes I did reboot the device so that the new configuration take effect.
Since it works on your setup, there is something wrong with mine but I cannot figure out what.

Best regards,

Dear @mnano,

I tried the same process on my side and it seemed to work fine. I saw from your post that you are using VirtualBox. Potentially this could be the cause to the issues you are experiencing, although I am uncertain why. Maybe @jeremias.tx has an idea?

Best regards
Collin

Hi @mnano, Try to connect using ssh -vvv to see what is wrong.

Hi, I am not sure I can identify where it went wrong:

dev@dev-VirtualBox:~$ ssh -vvv torizon@10.85.0.116 -i /home/dev/repos/my-app/torizon_rsa.pub
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.85.0.116 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/dev/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/dev/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.85.0.116 [10.85.0.116] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/dev/repos/my-app/torizon_rsa.pub type 0
debug1: identity file /home/dev/repos/my-app/torizon_rsa.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.85.0.116:22 as 'torizon'
debug3: record_hostkey: found key type ED25519 in file /home/dev/.ssh/known_hosts:18
debug3: load_hostkeys_file: loaded 1 keys from 10.85.0.116
debug1: load_hostkeys: fopen /home/dev/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:yKcBNQxTgljMnwXAvZSzQiMKeUKXLXM+8ffv+bvvI1U
debug3: record_hostkey: found key type ED25519 in file /home/dev/.ssh/known_hosts:18
debug3: load_hostkeys_file: loaded 1 keys from 10.85.0.116
debug1: load_hostkeys: fopen /home/dev/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.85.0.116' is known and matches the ED25519 host key.
debug1: Found key in /home/dev/.ssh/known_hosts:18
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: dev@dev-VirtualBox RSA SHA256:4vttI1/o9slhn1aSpd4vifr10LBE5pUnNAQ8N8TK958 agent
debug1: Will attempt key: dev@dev-VirtualBox RSA SHA256:A1gSUztE8ccHefiT6Mxxlb6w5p+leXbXdYHbDPq/L0s agent
debug1: Will attempt key: /home/dev/repos/my-app/torizon_rsa.pub RSA SHA256:bTA/RCVDWIhjvWwAylzq5sn6Kt90vGbKz0fepZBXvzI explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: dev@dev-VirtualBox RSA SHA256:4vttI1/o9slhn1aSpd4vifr10LBE5pUnNAQ8N8TK958 agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: dev@dev-VirtualBox RSA SHA256:A1gSUztE8ccHefiT6Mxxlb6w5p+leXbXdYHbDPq/L0s agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/dev/repos/my-app/torizon_rsa.pub RSA SHA256:bTA/RCVDWIhjvWwAylzq5sn6Kt90vGbKz0fepZBXvzI explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
torizon@10.85.0.116's password: 

I think you need to pass the private key’s path as a parameter to ssh -i not the public one.

Does not really changes anything:

dev@dev-VirtualBox:~$ ssh -vvv torizon@10.85.0.116 -i /home/dev/repos/my-app/build/torizon_rsa
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.85.0.116 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/dev/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/dev/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.85.0.116 [10.85.0.116] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/dev/repos/my-app/build/torizon_rsa type 0
debug1: identity file /home/dev/repos/my-app/build/torizon_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.85.0.116:22 as 'torizon'
debug3: record_hostkey: found key type ED25519 in file /home/dev/.ssh/known_hosts:18
debug3: load_hostkeys_file: loaded 1 keys from 10.85.0.116
debug1: load_hostkeys: fopen /home/dev/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:yKcBNQxTgljMnwXAvZSzQiMKeUKXLXM+8ffv+bvvI1U
debug3: record_hostkey: found key type ED25519 in file /home/dev/.ssh/known_hosts:18
debug3: load_hostkeys_file: loaded 1 keys from 10.85.0.116
debug1: load_hostkeys: fopen /home/dev/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.85.0.116' is known and matches the ED25519 host key.
debug1: Found key in /home/dev/.ssh/known_hosts:18
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: dev@dev-VirtualBox RSA SHA256:4vttI1/o9slhn1aSpd4vifr10LBE5pUnNAQ8N8TK958 agent
debug1: Will attempt key: dev@dev-VirtualBox RSA SHA256:A1gSUztE8ccHefiT6Mxxlb6w5p+leXbXdYHbDPq/L0s agent
debug1: Will attempt key: /home/dev/repos/my-app/build/torizon_rsa RSA SHA256:bTA/RCVDWIhjvWwAylzq5sn6Kt90vGbKz0fepZBXvzI explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: dev@dev-VirtualBox RSA SHA256:4vttI1/o9slhn1aSpd4vifr10LBE5pUnNAQ8N8TK958 agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: dev@dev-VirtualBox RSA SHA256:A1gSUztE8ccHefiT6Mxxlb6w5p+leXbXdYHbDPq/L0s agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/dev/repos/my-app/build/torizon_rsa RSA SHA256:bTA/RCVDWIhjvWwAylzq5sn6Kt90vGbKz0fepZBXvzI explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
torizon@10.85.0.116's password: 

What you can try as described here:

  1. try to run ssh server in debug mode using different port on your toradex board: /usr/sbin/sshd -d -p 2222
  2. and try to connect to that port from your VM using: ssh -vvv torizon@10.85.0.116 -i /home/dev/repos/my-app/build/torizon_rsa -p 2222

Check server side debug logs to see the error.

That is indeed clearer information:

root@verdin-imx8mp-12345678:~# /usr/sbin/sshd -d -p 2222
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.14 4 Jun 2024
debug1: private host key #0: ssh-rsa SHA256:h20ElQUH7DHKR0uIG0bKl75ZokVVrjFOiWLMRLk4KFw
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:k/cuU023gMfD9tSKzxqXo6LuZpYkkCo0+jTRmdcQRxI
debug1: private host key #2: ssh-ed25519 SHA256:yKcBNQxTgljMnwXAvZSzQiMKeUKXLXM+8ffv+bvvI1U
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2222'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.14 4 Jun 2024
debug1: private host key #0: ssh-rsa SHA256:h20ElQUH7DHKR0uIG0bKl75ZokVVrjFOiWLMRLk4KFw
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:k/cuU023gMfD9tSKzxqXo6LuZpYkkCo0+jTRmdcQRxI
debug1: private host key #2: ssh-ed25519 SHA256:yKcBNQxTgljMnwXAvZSzQiMKeUKXLXM+8ffv+bvvI1U
debug1: inetd sockets after dupping: 3, 3
Connection from 10.85.0.110 port 53484 on 10.85.0.116 port 2222 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 pat OpenSSH* compat 0x04000000
debug1: permanently_set_uid: 998/998 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user torizon service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "torizon"
debug1: PAM: setting PAM_RHOST to "10.85.0.110"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user torizon service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:4vttI1/o9slhn1aSpd4vifr10LBE5pUnNAQ8N8TK958 [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /etc/ssh/.auth/torizon/authorized_keys
debug1: Could not open authorized keys '/etc/ssh/.auth/torizon/authorized_keys': Permission denied
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/torizon/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/torizon/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for torizon from 10.85.0.110 port 53484 ssh2: RSA SHA256:4vttI1/o9slhn1aSpd4vifr10LBE5pUnNAQ8N8TK958
debug1: userauth-request for user torizon service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:A1gSUztE8ccHefiT6Mxxlb6w5p+leXbXdYHbDPq/L0s [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /etc/ssh/.auth/torizon/authorized_keys
debug1: Could not open authorized keys '/etc/ssh/.auth/torizon/authorized_keys': Permission denied
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/torizon/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/torizon/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for torizon from 10.85.0.110 port 53484 ssh2: RSA SHA256:A1gSUztE8ccHefiT6Mxxlb6w5p+leXbXdYHbDPq/L0s
debug1: userauth-request for user torizon service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 2 [preauth]
debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:bTA/RCVDWIhjvWwAylzq5sn6Kt90vGbKz0fepZBXvzI [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /etc/ssh/.auth/torizon/authorized_keys
debug1: Could not open authorized keys '/etc/ssh/.auth/torizon/authorized_keys': Permission denied
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/torizon/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/torizon/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for torizon from 10.85.0.110 port 53484 ssh2: RSA SHA256:bTA/RCVDWIhjvWwAylzq5sn6Kt90vGbKz0fepZBXvzI
Connection closed by authenticating user torizon 10.85.0.110 port 53484 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 189778

But It seems to me that I have the right permissions?

root@verdin-imx8mp-12345678:~# ls -lah /etc/ssh/.auth/torizon/
total 12K
drwx------ 2 root    root 4.0K Aug 26 08:40 .
drwx------ 3 root    root 4.0K Aug 26 07:58 ..
-rw------- 1 torizon root 1.7K Aug 27 05:39 authorized_keys

Not sure but you can try: chown torizon:torizon authorized_keys

Changing ownership and modes around, I can get ssh to root to work but not to torizon user and only by setting StrictModes no in sshd_config.
Otherwise I get Authentication refused: bad ownership or modes for directory / or debug1: Could not open authorized keys '/etc/ssh/.auth/torizon/authorized_keys': Permission denied. Depending on the exact ownership/modes situation.
The location of the folder seems to be problematic for me.

1 Like

Hmm this is very strange behavior you’re observing. For reference on my working setup here’s what my permissions look like:

$ ls -lah /etc/ssh/.auth/torizon/
total 12K
drwxr-xr-x 2 root root 4.0K Aug 26 20:55 .
drwxr-xr-x 3 root root 4.0K Aug 26 20:53 ..
-rw-r--r-- 1 root root  569 Aug 26 20:55 authorized_keys

So maybe it needs to be root/root for authorized_keys?

Best Regards,
Jeremias

Dear @mnano,

Have you been able to try out @jeremias.tx’s suggestion?
Were you able to resolve your issue?

Best regards,
Collin

I also had tried exactly the same permissions before and it did not work on my side.
I went in another direction for the project. I might not be able to take another look at this issue for a long time.